Cybersecurity Alert: Perseus Malware Spreads Through Fake IPTV Apps, Hits Europe and Turkey

Mobile malware is no longer what it used to be. In earlier days, attackers relied on simple tricks like fake apps or basic credential theft. Today, however, threats are far more advanced. They evolve constantly to survive in an environment where operating systems are getting stricter, app stores are more secure, and users are becoming more aware.

Modern Android malware doesn’t just attack—it adapts. It learns to use legitimate system features in ways they were never meant to be used. This shift shows how attackers are focusing on staying hidden, maintaining control, and extracting as much value as possible from infected devices.

In this report, we take a close look at a newly discovered Android malware family called Perseus. This threat represents a clear continuation of older malware families but with noticeable improvements in control, stealth, and data collection.


Threat Overview

Perseus is not built from scratch. Instead, it is developed on top of older malware frameworks such as Cerberus and Phoenix. Both families are well known in the Android threat landscape, especially since the Cerberus source code was leaked in 2020 and became the base for numerous forks.

Perseus builds upon this foundation and transforms it into a more flexible and capable system. It is designed not just to steal data, but to fully control infected devices in real time.

Key Highlights

  • It evolves from earlier malware, showing how threats improve over time
  • It allows attackers to remotely control infected phones
  • It targets sensitive personal data, including user-created notes
  • It includes strong anti-analysis features to avoid detection
  • It spreads through fake IPTV applications
[Figure: MITRE ATT&CK mapping of the Perseus attack chain. Source: ThreatFabric]

Background and Origin

The name “Perseus” comes from its command-and-control (C2) panel login interface. While the name may sound heroic, this malware behaves more like a coordinated system built from multiple past threats.

During analysis, two different versions of Perseus were identified:

  • English-based version – Includes debugging features, logs, and even unusual elements like emojis in code
  • Turkish-based version – More minimal and stealth-focused

The English version suggests that developers may have used modern tools, possibly even AI-assisted coding, due to its structured logging and development style.


Distribution Strategy

Perseus spreads mainly through apps disguised as IPTV services. This is a clever choice for several reasons:

  • IPTV apps are commonly downloaded outside official app stores
  • Users are already familiar with installing APK files manually
  • Suspicion is lower compared to unknown app categories

Instead of installing the malware directly, attackers ship a dropper app. The dropper is built to get around the restrictions Android 13 introduced for sideloaded apps (Restricted Settings, which would otherwise block the payload from enabling Accessibility Services), and it fetches and installs the actual payload as a second stage.

Interestingly, the same dropper has been used to spread other malware families, showing shared infrastructure between cybercriminal operations.


Targeted Regions

The campaigns show a clear geographic focus. Most victims are located in:

  • Turkey
  • Italy

Other affected regions include Poland, Germany, France, the UAE, and Portugal. The target list also shows a strong interest in cryptocurrency applications.

This indicates that attackers are not operating randomly. They are choosing regions and sectors strategically.


Core Capabilities

1. Full Device Control

Perseus enables attackers to take over the device almost completely. It uses Android Accessibility Services to perform actions on behalf of the user.

This includes:

  • Clicking buttons
  • Entering text
  • Navigating apps
  • Performing gestures

This allows attackers to carry out fraud from the victim's own device, including initiating financial transactions in the victim's banking apps, without the user realizing it.


2. Remote Monitoring (VNC & HVNC Modes)

The malware supports two main remote control methods:

  • VNC Mode: Captures screenshots continuously and streams them to the attacker
  • HVNC Mode: Sends a structured map of the UI elements on screen, as exposed through Accessibility Services, rather than pixels

In VNC mode, attackers see what the user sees in near real time. In HVNC mode, they interact with UI elements programmatically using that structured data, which costs far less bandwidth and works even when the screen is blacked out for the victim.

This dual approach gives attackers flexibility depending on the situation.


3. Overlay Attacks and Keylogging

Perseus inherits overlay attack capabilities from Phoenix. It can display fake screens over real apps, tricking users into entering credentials.

At the same time, it logs keystrokes and captures everything displayed on the screen. This makes credential theft highly accurate.


4. Notes Monitoring (Unique Feature)

One of the most interesting additions in Perseus is its ability to scan user notes.

Using a command called scan_notes, the malware:

  • Opens note-taking apps
  • Navigates through saved notes
  • Extracts their content

It targets apps like:

  • Google Keep
  • Samsung Notes
  • Evernote
  • OneNote

This is important because users often store sensitive information in notes, such as:

  • Passwords
  • Recovery phrases
  • Financial details

This feature shows a shift from basic data theft to more contextual intelligence gathering.


5. Anti-Analysis and Detection Avoidance

Perseus includes strong defenses against analysis. Before fully activating, it checks whether it is running on a real device rather than in an analysis environment.

It looks for:

  • Root access
  • Debuggers
  • Tools like Frida or Xposed
  • Emulator characteristics
  • Fake hardware profiles
  • Missing system components

It even evaluates:

  • Battery behavior
  • Bluetooth availability
  • Number of installed apps

All these checks are combined into a risk score, which is sent to the attacker. If the environment looks suspicious, the malware may limit its activity.


Operational Behavior

Once installed, Perseus connects to its command server and waits for instructions. It supports a wide range of commands, including:

  • Simulating user actions
  • Launching apps
  • Blocking applications
  • Recording gestures
  • Capturing screen data
  • Injecting overlays

It can also:

  • Mute the device
  • Black out the screen
  • Intercept unlock credentials

This level of control makes it extremely dangerous, especially in financial fraud scenarios.


Indicators of Compromise (IOCs)

Some known indicators include:

  • Malicious package names like com.tvtapps[.]live
  • Dropper apps disguised as IPTV services
  • Suspicious APK sideloading behavior

These indicators can help security teams detect infections early.

SHA-256                                                           Package name            Application name   Role
1ea8360c4d3b7ccea50e9f19630be9d23df26ac713799e2f8457520c0d29bdda  com.xcvuc.ocnsxn        Roja App Directa   Perseus Dropper
2524e9d5ed1e55332fe2d1cc0e7ad4e2656ad5ca624199e6f619325979b3529a  com.tvtapps.live        TvTApp             Perseus Payload (English fork)
56d3bb5e8771b41b11d368e70ddd26fe6f1e7bd00b3aafcfd4c34ef62f87093d  com.streamview.players  PolBox Tv          Perseus Payload (Turkish fork)
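The following is an added triage helper, not code from this page or from ThreatFabric, that turns the IOC table above and the Accessibility Services abuse described under "Full Device Control" into two device-side checks. It assumes an analyst has already collected the output of `adb shell pm list packages` and the value of `adb shell settings get secure enabled_accessibility_services` from a suspect device (or the SHA-256 of any sideloaded APKs). The allowlist of legitimate accessibility services and the sample device output are constructed for illustration, and the service class names after the slash are hypothetical.

```python
"""Offline Perseus triage: IOC matching plus a check for unexpected accessibility services.

Added example, not the page's or ThreatFabric's code. Inputs are strings an
analyst pastes from adb, so the script runs without a device attached.
"""
import hashlib
from typing import Iterable

# SHA-256 hashes and package names from the IOC table (raw form, not defanged).
PERSEUS_SHA256 = {
    "1ea8360c4d3b7ccea50e9f19630be9d23df26ac713799e2f8457520c0d29bdda":
        "Perseus Dropper (com.xcvuc.ocnsxn, 'Roja App Directa')",
    "2524e9d5ed1e55332fe2d1cc0e7ad4e2656ad5ca624199e6f619325979b3529a":
        "Perseus Payload, English fork (com.tvtapps.live, 'TvTApp')",
    "56d3bb5e8771b41b11d368e70ddd26fe6f1e7bd00b3aafcfd4c34ef62f87093d":
        "Perseus Payload, Turkish fork (com.streamview.players, 'PolBox Tv')",
}
PERSEUS_PACKAGES = {"com.xcvuc.ocnsxn", "com.tvtapps.live", "com.streamview.players"}

# Assumption: accessibility services an organisation treats as legitimate.
# Perseus depends on this permission, so anything else enabled deserves a look.
ACCESSIBILITY_ALLOWLIST = {"com.google.android.marvin.talkback"}


def sha256_hex(data: bytes) -> str:
    """Lowercase SHA-256 hex digest, the form used in the IOC table."""
    return hashlib.sha256(data).hexdigest()


def match_hashes(hashes: Iterable[str]) -> dict[str, str]:
    """Map each supplied hash (any case) to its Perseus description if it is a known IOC."""
    hits = {}
    for h in hashes:
        h = h.strip().lower()
        if h in PERSEUS_SHA256:
            hits[h] = PERSEUS_SHA256[h]
    return hits


def parse_pm_list(pm_output: str) -> set[str]:
    """Parse `adb shell pm list packages` output, one 'package:<name>' per line."""
    return {line[len("package:"):].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def match_packages(pm_output: str) -> set[str]:
    """Installed package names that appear in the Perseus IOC list."""
    return parse_pm_list(pm_output) & PERSEUS_PACKAGES


def parse_enabled_accessibility(value: str) -> list[tuple[str, str]]:
    """Parse the `enabled_accessibility_services` secure setting.

    The value is a colon-separated list of '<package>/<service class>' entries;
    an empty string or the literal 'null' means no service is enabled.
    """
    value = value.strip()
    if not value or value == "null":
        return []
    entries = []
    for item in value.split(":"):
        pkg, _, svc = item.partition("/")
        if pkg:
            entries.append((pkg, svc))
    return entries


def unexpected_accessibility(value: str,
                             allowlist: set[str] = ACCESSIBILITY_ALLOWLIST) -> list[tuple[str, str]]:
    """Enabled accessibility services whose package is not on the allowlist."""
    return [(p, s) for p, s in parse_enabled_accessibility(value) if p not in allowlist]


def triage(pm_output: str, accessibility_value: str, apk_hashes: Iterable[str]) -> dict:
    """Combine the three checks into one findings report."""
    return {
        "ioc_packages": sorted(match_packages(pm_output)),
        "ioc_hashes": match_hashes(apk_hashes),
        "unexpected_accessibility": unexpected_accessibility(accessibility_value),
    }


if __name__ == "__main__":
    # Constructed sample device output (not from a real infection).
    SAMPLE_PM = ("package:com.android.chrome\n"
                 "package:com.tvtapps.live\n"
                 "package:com.google.android.marvin.talkback\n")
    # Service class names after the slash are hypothetical.
    SAMPLE_ACC = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
                  ":com.tvtapps.live/com.tvtapps.live.AccService")
    report = triage(SAMPLE_PM, SAMPLE_ACC,
                    ["2524E9D5ED1E55332FE2D1CC0E7AD4E2656AD5CA624199E6F619325979B3529A"])
    for key, findings in report.items():
        print(f"{key}: {findings}")
```

The accessibility check is the more durable of the two: hashes and package names change with every rebuild of the dropper, but a Perseus payload cannot drive the device without an enabled accessibility service, so an unexpected entry in that setting is worth investigating even when no IOC matches.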

Conclusion

Perseus is not entirely new, but it is a refined version of existing threats. It combines proven techniques with targeted improvements.

Its strength lies in:

  • Reusing reliable malware frameworks
  • Adding selective new features like note monitoring
  • Improving stealth and persistence

This reflects a broader trend in cybersecurity. Attackers are not always inventing new tools—they are improving what already works.

Perseus shows how modern malware is becoming more efficient, more targeted, and harder to detect.


Our Analysis and Opinion

Looking at Perseus from a broader cybersecurity perspective, it represents a clear shift in how mobile threats are evolving today. Instead of focusing purely on innovation, attackers are prioritizing refinement. This is an important distinction. The malware does not introduce completely new techniques, but it combines existing ones in a smarter and more efficient way.

One of the most concerning aspects is its use of legitimate Android features like Accessibility Services. These features were originally designed to help users, especially those with disabilities. However, threats like Perseus show how easily such tools can be misused when proper controls are not enforced. This raises an important question for platform developers: how can functionality be preserved while preventing abuse?

Another key observation is the focus on contextual data, particularly note-taking applications. Traditionally, malware targeted passwords and banking credentials. Perseus goes a step further by collecting user-generated content. This suggests attackers are now interested in understanding users, not just exploiting them. Personal notes can contain recovery keys, private information, and sensitive thoughts, making them extremely valuable.

The distribution method is also worth noting. By using IPTV-themed apps, attackers are exploiting user behavior rather than just technical vulnerabilities. Many users already trust and sideload such apps, which reduces friction for infection. This highlights the growing importance of user awareness alongside technical defenses.

From a defensive standpoint, Perseus demonstrates how difficult detection has become. Its anti-analysis checks are thorough and well-designed. Traditional sandboxing techniques may fail if malware can accurately detect artificial environments. This means security solutions must evolve as well, possibly incorporating more realistic simulation environments.

In our view, Perseus is not just another malware sample—it is a signal. It shows that the future of mobile threats lies in adaptability, stealth, and intelligent data collection. Organizations and individuals must move beyond reactive security and adopt proactive strategies, including behavior-based detection and stricter app installation policies.

Ultimately, Perseus reinforces a simple but critical truth: cybersecurity is no longer just about blocking attacks—it is about understanding how attackers think and evolve.